Can't access Symantec, McAfee, Sophos sites

I'm running Windows XP SP1 (Home Edition) & IE 6 SP1 and all of a sudden I can't run my Norton Live Update and can't even access the Symantec, McAfee, Sophos web sites. I get a page cannot be displayed. In my running processes there appears a msawindows.exe entry. The file is located in my Windows\System32 folder and is 138KB. The file does not have a version tab and has no references to Microsoft. I've run a full virus scan and it came up clean and my Norton virus definitions were updated 4/28/04. I've also ran Ad-aware and Spybot S&D which are both up to date and they found nothing. Should I do a System Restore back to a couple of days ago and should I delete the "msawindows.exe" file. I searched google and nothing comes up for that file name. Any help would be appreciated. I've also checked my HOSTS file and it is normal.

Edited to add: msawindows.exe also now appears under the Startup tab and is checkmarked in msconfig. It was nece there before.

Thanks in advance,
Tufenuf

Have you tried running a hijackthis log to see if it contains anything out of the ordinary? If not, you should. You can download Hijackthis from here. Then install the software into a folder of it's own, but not on the desktop. Click Scan, then after it scans, Save Log, when it opens in Notepad, copy and paste the log in this thread. We'll check it for you. ;)

photolady, Here's my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 6:25:35 AM, on 4/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\msawindows.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP40\bin\BandObject.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP40\hta\station.sbrt
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...874.6221064815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab

Thanks in advance,
Tufenuf

msawindows.exe seems to be the Windows Update file in your startup folder. This however sounds very suspicious to me because there is no mention of it anywhere.
My guess is its a virus/trojan/spyware that may have neutralized your NAV and blocked certain AV sites. Try to do an on-line virus scan such as Housecall (link in my sig), download A-Squared (in my sig) to scan for trojans, and run CWShredder.

Ok now here's what you need to do. Run Hijackthis again, closing all open windows including IE. Then tell hijackthis to fix the following problems:

O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
C:\Program Files\ISP40\bin\BandObject.dll (file missing)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7874.6221064815

Then go to this file: C:\WINNT\System32\msawindows.exe and remove it physically from the computer.

Even though they say M$ updates they are not valid M$ update files.

photolady and usil,

photolady, I ran HijackThis and fixed the items you described and deleted the msawindows.exe file which corrected that problem.

usil, I ran HouseCall and it detected a "DOSAGABOT.AM virus in the C:\WINNT\System32]drivers\etc. folder which it stated was uncleanable.

I checked this out and my HOSTS file was modified as of this morning. Here is a copy of it.

Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

According to the info at the link below which I could reach here is what it says.

The virus appends to the hosts files in order to redirect the below URLs to the IP address 127.0.0.1. This will prevent users from accessing these websites to receive AV updates.

localhost
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com


http://vil.nai.com/vil/content/v_101100.htm

I can't get to many of those sites listed above and can you good people tell me what my HOSTS file should look like and read. I still can't use LiveUpdate for my Norton AV 2003. I believe if I could get the HOSTS file edited correctly it may solve my problems.

Thanks for all your help on this,
Tufenuf

Hi Tufenuf

The Host file is a text file and for normal situations it is an empty file. Search for it. Open it in Notepad and delete the contents.

Note! the file we are talking about is called 'host' without any extension. BF

Here is some sites with HOSTS file information , you can also download a HOSTS file with many ad sites , tracking sites etc filled in so they are blocked .

http://www.accs-net.com/hosts/

http://www.mvps.org/winhelp2002/hosts.htm

BigFred, "The Host file is a text file and for normal situations it is an empty file. Search for it. Open it in Notepad and delete the contents."

Are you saying that I should open the HOSTS file (no extension) and delete all the contents so that is totally empty.

TIA,
Tufenuf

This is what an "empty" hosts file should look like.

Empty hosts file

DuaneB, My hosts file is exactly the same (see my reply above which has a I copied & pasted it) as the one you posted as an attachment. I'm at a loss as why I can't get to any of the Antivirus sites (Symantec, MacAfee) and I can't run my NortonAV 2003 Live Update either. Any other suggestions would be welcome.

TIA,
Tufenuf

www.ravantivirus.com/scan/indexie.php is by far the best virus scanner I as of last week. Try going there and scanning your computer. It picks up viruses I made myself and a whole lot of other stuff that McAfee and Norton can not even recognize. For example Rootkits bypass McAfee and Norton like they had their back turned and eyes shut when scanning.

Your McAfee link lists Gaobot as an alias. Why not try a removal tool for Gaobot. It won't do any harm if the tool doesn't find anything.
http://securityresponse.symantec.com...oval.tool.html

Or, a more general removal tool McAfee's Avert Stinger v.2.2.2
http://vil.nai.com/vil/averttools.asp

This has me half nuts. The "msawindows.exe" came back and also the entries I fixed in HijackThis. I ran HijackThis again and fixed and removed them (see log in my previous post). I ran RAV on-line scan and it comes up clean and I ran my Norton AV full scan and also came up clean. I still can't reach Symantec sites or McAfee and even was having trouble getting to this site untill I ran HijackThis and fixed the entries for "msawindows.exe" which I also deleted that file again. I can't run Live Update for Norton and it gives me an error but I can't get to the Symantec Support site to look for a fix. Would anyone recommend that I try a System Restore prior to when this horror show began. I didn't open any e-mails or attachments and only visited my normal web sites and had my updated Norton AV running in Real Time mode. I am totally frustrated at this point and never ran into anything like this before. What about a System Restore good people. Please give me your opinions.

TIA,
Tufenuf

System Restore is your friend. Definitely use System Restore if you have a good Restore point from a time before this problem started.

DuaneB, I did a System Restore back to 4/17 and the "msawindows.exe" file didn't come back YET but I still can't access any Symantec, McAfee, Network Associates, Trend Micro, etc. sites. I get a page cannot be displayed at every one of them. I can acess this site and others. What next and I have to get away for awhile before I go completely nuts.

Tufenuf

Check ou IE Restricted sites and see if anything is in there and remove them if so.
Tools/Internet Options/Security Tab/Restricted Sites/Sites
Then if nothing in there go to the regisrty key and double check.
The keys to look at are in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

And you want to look in EscDomains and EscRanges. If there is anything in there that you do not completly trust get rid of it. Complete trust means you would let them hold your fith arm with schears.

Unknownerror, Thanks for the reply and I checked both the Restricted sites and the registry but there is nothing out of the ordinary there. There are others having the same problem and hopefully Norton will come up with a solution. I've about had it for today and maybe tomorrow morning my mind will be clearer.

Thanks again,
Tufenuf

Tufenuf:
Sorry to see you are having such trouble. You have helped me on matters several times and if I download the Nortons fix for Gaobot and send it to you, will that help? There may even be more than one version of the virus. Others helping you are far more knowledgeable than I about such matters. Hang tight and you'll get through this nasty thing!! Just trying to help.

buf, I would appreciate if you could send me the Norton Fix for Gabot along with instuctions because I can't get to any of the AV sites to download anything or read instructions. I'll send you a PM with my e-mail address. I won't get to it till tomorrow.

Thanks again,
Tufenuf

Quote:

---

Originally posted by BigFred
Note! the file we are talking about is called 'host' without any extension. BF

---

Every system and PC I've ever worked on it is called hosts with the s

Tufenuf, the info has been sent already. Yell if there is more that I can do. Good luck.
BTW, have just seen your last post.

Tufenuf , make sure you are looking at the right Hosts file,

Look for a file simply called HOSTS , with no extension , that is the one you need .

There is also a file called hosts.sam , with contents exactly as you posted above , which is a sample file not the actual hosts file used by the computer so double check .

You could also look at the links in my post above and download a new hosts file to replace any the one you have at the moment.

To all you good people,

After a good nights rest I finally got my problem corrected. Yesterday when I opened my HOSTS file in Notepad I didn't maximize Notepad so this morning I opened the HOSTS file again and maximized the screen and lo and behold all of the AV sites that I couldn't reach were indeed there towards the bottom. I deleted all of those lines with those sites, saved the change and I can now reach all those sites as well as run my NAV 2003 Live Update. I guess I was in panic mode yesterday as this was the first time in 5 years I've ever had a virus or a problem. All is well again and Thanks for everyone's help.

Thanks again,
Tufenuf

That's great. Glad to hear it.
https://discussions.virtualdr.com/

Best news that I have read today. Happy for you Tufenuf and I suspect we all have had those "panic times" where haste and frustrations hindered our better judgment and rushing through a drill caused additional pains.
Now your day should be complete harmony. :D

This might sound dumb, but did you check the right host file? I was having this problem and did everything on here and when i searched for a host file only one showed up and it looked ok, but it wasnt the right one. i read another article and the host file to check is under the directory C:\windows\system32\drivers\etc, and there it was blocking all antivirus sites!!! so i cleared it out and now it works. here is the article i read on the whole subject.

http://www.pcmag.com/article2/0,1759,1490601,00.asp

pfloyd26 - he fixed the problem, but thanks for the input.

Quote:

---

Originally posted by Tufenuf
To all you good people,

After a good nights rest I finally got my problem corrected. Yesterday when I opened my HOSTS file in Notepad I didn't maximize Notepad so this morning I opened the HOSTS file again and maximized the screen and lo and behold all of the AV sites that I couldn't reach were indeed there towards the bottom. I deleted all of those lines with those sites, saved the change and I can now reach all those sites as well as run my NAV 2003 Live Update. I guess I was in panic mode yesterday as this was the first time in 5 years I've ever had a virus or a problem. All is well again and Thanks for everyone's help.

Thanks again,
Tufenuf

---

I found this message thread doing a web search because I've been having the exact same problem.

Norton Antivirus automatically shuts down 5 seconds after I try to open it. Also, the automatic virus scan has been shut off as well as the email virus scan. I can't run live update because it shuts down before I have a chance. I tried going to symantec.com to download the updates manually, but any page from symantec won't load. Also, when I try to run msconfig, it also shuts down in about 5 seconds, but I had enough time to turn on safeboot.

I turned off system restore and rebooted into safe mode and was able to run Norton antivirus. The only virus it found was something called "Bloodhound" but it wasn't able to repair it, only quarentine it. However, when I returned to my regular desktop, the same problem continued.

I followed the advise given to Tufenuf and ran Hijackthis. I'm including the log below. Could someone take a look at it and tell me what I can do? I don't get the same file with msawindows that was Tufenuf's problem.

By the way, I've also had a problem with an adware called "PurityScan." Spysweeper tells me that it has removed it, but if I run Spysweeper immediately afterward, it still finds the same file. I even downloaded "ps_uninstaller.exe" that was supposed to get rid of the problem, but it doesn't help. Purity Scan hijacks my browser and opens up 4 different ad sites. Any idea on how to get rid of this?


Logfile of HijackThis v1.97.7
Scan saved at 5:31:37 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\dsrss.exe
C:\WINDOWS\System32\wkssvr.exe
C:\WINDOWS\System32\wserv32.exe
C:\WINDOWS\System32\lsrv.exe
C:\WINDOWS\System32\bzkdhy.exe
C:\Program Files\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\scrgrd.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [cache lptt01] "C:\Program Files\cache\cache.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
O4 - HKLM\..\Run: [BE6EF182] C:\WINDOWS\System32\buntm.exe
O4 - HKLM\..\Run: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\xydum.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [phytzryct] C:\WINDOWS\System32\bzkdhy.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] dsrss.exe
O4 - HKLM\..\RunServices: [2CE1977D] C:\WINDOWS\System32\buntm.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [epgt2ysl84] C:\WINDOWS\gdomnm96pd.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt0_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E9B7A9-DB3B-43D6-B37A-B3F132583BBD}: NameServer = 209.244.0.3 209.244.0.4


Thank you for any help you can provide.

Geobadger, Welcome to the forum. I recommend that you start a new thread in the Security/Viruses forum because this thread is quite old and you'll get a faster response there. There are some HijackThis log experts there. Just explain your problem along with a HijackThis log.

Tufenuf

I actually got the thing fixed finally.

Apparently I had a virus called Gaobot that blocked Norton and access to Symantec.com. I was finally able to get a copy of the newest security updates and run NAV in safemode. 5 days online without an antivirus netted me 97 infected files by 5 different viruses. Jesus.

I had a process running csmss.exe that I had never seen before and was furiously pinging out to the internet. I used Hijack This! to fix the log and then deleted the .exe. Afterwards, I was not able to access certain Symantec sites or do a LiveUpdate!. I did a search for the Hosts file as mention in previous posts, deleted the list of anti-virus sites, and now my problem is solved thanks to this forum.

Thank you all.

:confused: I have exactly the same problem, but do not have msawindows.exe running. I'm about to follow some of the advice in this thread. I'll let you know how I make out.
-Brian